Cyber Incident Victim: Mango Markets
Date: Jun 2022
Location: United States of America
Summary
A Google Cloud Armor customer experienced the largest reported Layer 7 DDoS attack to date, peaking at 46 million requests per second. The attack originated from 5,256 IPs across 132 countries, leveraging HTTPS requests and matching the Mēris attack methodology that exploits vulnerable proxies. Cloud Armor's Adaptive Protection detected early traffic anomalies, generated a protective signature, and alerted the customer, who deployed a throttling rule before the attack reached full intensity. This proactive mitigation blocked malicious traffic at Google's network edge while maintaining service availability, causing the attacker to cease efforts after 69 minutes as the attack became unsustainable.
Description
On June 1, 2022, a Google Cloud Armor customer experienced a significant HTTPS DDoS attack targeting their HTTP/S Load Balancer. The incident began at approximately 9:45 a.m. Pacific Time with an initial attack volume exceeding 10,000 requests per second (rps). Within eight minutes, the attack escalated to 100,000 rps. During this early phase, Cloud Armor's Adaptive Protection system detected anomalous traffic patterns, analyzed dozens of traffic features, and generated an alert containing a signature of the malicious activity along with a recommended blocking rule. The customer's security team deployed this rule into their security policy before the attack reached its maximum intensity. Over the following two minutes, the attack surged dramatically, peaking at 46 million rps—the largest Layer 7 DDoS attack ever observed at that time, exceeding the previous record by at least 76%. The attack subsided gradually and concluded 69 minutes after its initiation at 10:54 a.m., with evidence suggesting the attackers discontinued efforts due to high operational costs and ineffective disruption of the target service.

The attack originated from 5,256 source IP addresses across 132 countries, with the top four countries contributing approximately 31% of the total traffic volume. Attackers utilized encrypted HTTPS requests and HTTP pipelining, requiring minimal TLS handshakes despite the encrypted payloads. Approximately 1,169 source IPs (22%) were identified as Tor exit nodes, though these accounted for only 3% of the peak traffic. The geographic distribution and exploitation of unsecured proxies aligned with characteristics of the Mēris attack methodology. Cloud Armor mitigated the attack at Google's network edge by enforcing the customer-deployed rate-limiting rule, which operated in preview mode initially to validate effectiveness before full enforcement. This approach blocked malicious traffic while preserving legitimate user access, resulting in uninterrupted service availability for the targeted applications throughout the incident. The defensive measures successfully contained the attack upstream from the customer's infrastructure, preventing any degradation of performance or availability.
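The preview-then-enforce rate-limiting step described above, as an added illustration that is not part of this record and not Google Cloud Armor's own code: a per-client-IP sliding-window throttle is first replayed in preview (log-only) mode to confirm that only the flooding sources trip it, then switched to enforcement. The 100 req/s threshold, the action names and the request stream are assumed or constructed, not the customer's real settings or traffic.

```python
from collections import Counter, defaultdict, deque

# Constructed request stream (millisecond timestamp, client IP); not incident data.
# Two sources flood well above 100 req/s, one behaves like a normal client.
SAMPLE_REQUESTS = sorted(
    [(t * 5, "203.0.113.7") for t in range(300)]       # 300 requests in 1.5 s
    + [(t * 4, "192.0.2.9") for t in range(150)]       # 150 requests in 0.6 s
    + [(t * 100, "198.51.100.2") for t in range(10)]   # 10 requests in 1 s
)


class ThrottleRule:
    """Per-client-IP sliding-window throttle modelled on a rate-based rule
    that can run in preview (log-only) mode before it is enforced.
    Threshold and interval are assumed values, not the customer's settings."""

    def __init__(self, threshold_count=100, interval_ms=1000, preview=True):
        self.threshold = threshold_count
        self.interval = interval_ms
        self.preview = preview
        self._windows = defaultdict(deque)  # ip -> timestamps of conforming requests

    def evaluate(self, ts_ms, ip):
        """Return the action for one request; requests must arrive in time order."""
        window = self._windows[ip]
        while window and window[0] <= ts_ms - self.interval:
            window.popleft()  # drop requests that fell out of the interval
        if len(window) < self.threshold:
            window.append(ts_ms)
            return "allow"
        # Over threshold: preview mode only records the hit, enforce mode denies.
        return "preview-exceed" if self.preview else "deny-429"


def replay(requests, rule):
    """Replay a request stream through a rule; returns per-action and per-IP counts."""
    actions = Counter()
    exceeded_by_ip = Counter()
    for ts_ms, ip in requests:
        action = rule.evaluate(ts_ms, ip)
        actions[action] += 1
        if action != "allow":
            exceeded_by_ip[ip] += 1
    return dict(actions), dict(exceeded_by_ip)


if __name__ == "__main__":
    # Step 1: preview run shows which sources would be throttled, nothing is blocked.
    print(replay(SAMPLE_REQUESTS, ThrottleRule(preview=True)))
    # Step 2: enforce once the preview shows legitimate clients are untouched.
    print(replay(SAMPLE_REQUESTS, ThrottleRule(preview=False)))
```

The preview replay is the check a defender wants before enforcement: the normal client never appears in the exceeded set, while both flooding sources do.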
